Security Considerations and Conclusion
Applies to: Windows Communication Foundation
Published: June 2011
Author: Robert Dizon
When resources and methods are invoked, all services must be able to authenticate users at both the client and server ends. WCF SOAP services fully support WS-Security standards, which offer advanced messaging security that can be applied to any transport protocol. WCF REST uses the security features that are built into the HTTP protocols, such as digest authentication for user authentication. SSL is still the standard for securing components that use the HTTP protocol.
Microsoft discusses some security options in the "Security Considerations" section of "A Guide to Designing and Building REST-ful Web Services with WCF 3.5". You will often want to use a combination of security solutions, such as custom authentication and SSL, in order to secure resource messages.
For more information about how to secure REST services, see the following:
Securing RESTful services on MSDN at http://channel9.msdn.com/Blogs/ashishjaiman/Securing-REST-ful-services
How to: Host a Secure Service in ASP.NET for Silverlight applications on MSDN at http://msdn.microsoft.com/en-us/library/dd560702(VS.95).aspx
A major difference between WCF SOAP and WCF REST is flexibility. WCF SOAP services supports a wide range of transport protocols, including HTTP. WCF REST services only support HTTP. One point to remember about the SOAP services is that the size of its messages adds a significant overhead. The message size is related to the fact that SOAP is intended to interoperate with different platforms, such as Java. This overhead may be a matter of concern, in terms of performance and scalability, if your application has many transactions, complex data structures, and handles large volumes of data. On the other hand, WCF REST services use the standard HTTP protocol.
The second difference between the two types of services is that WCF SOAP services are an operations-based service. A SOAP client application calls a method that is published as a web service operation on a remote server. The client receives a SOAP response in return. Web services expose an organization's capabilities, such as automated ordering and pricing services that customers can use. WCF REST services are resource-based. A client sends an HTTP request, much the way an Internet browser does, and receives a resource in return, such as data, video, or images.
The third difference is security. Traditional WCF SOAP services support more advanced security measures, such as message-based or federated security. SOAP also offers reliable messaging and transactional services, due to its support of WS-Security specifications, which have evolved over several years.
REST in Windows Communication Foundation on MSDN at http://msdn.microsoft.com/en-us/netframework/cc950529.aspx
WCF Data Services on MSDN at http://msdn.microsoft.com/en-us/data/bb931106.aspx
Previous article: Operation-based SOAP vs. Resource-based REST
Continue on to the next article: Configuration Management Across Multiple Services and Environments